Digikey Mail/ Protect your account!

Uwe Bonnes

Hello,

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

Bye

--
Uwe Bonnes bon@elektron.ikp.physik.tu-darmstadt.de

Institut fuer Kernphysik Schlossgartenstrasse 9 64289 Darmstadt
--------- Tel. 06151 1623569 ------- Fax. 06151 1623305 ---------
 
On 28.07.19 at 14:18, Uwe Bonnes wrote:
Hello,

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

I got that, too.
My auto-login does not work currently.
Earlier this week there was a banner that their servers would be down
for a day or so.

cheers, Gerhard
 
On 7/28/2019 15:18, Uwe Bonnes wrote:
Hello,

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

Bye

I got that, too. Went to their site (not using any of the email) and
was prompted to use my old password and enter a new one. The new one had
to be somewhat longer, 8 alphanumeric IIRC.
Did it and it seemed to work. Have not ordered there recently, Mouser
beat them in that they handle the customs for you in the EU, I just
get the package delivered at my doorstep.

Dimiter

======================================================
Dimiter Popoff, TGI http://www.tgi-sci.com
======================================================
http://www.flickr.com/photos/didi_tgi/
 
Uwe Bonnes wrote...
today I got a mail from digikey to protect my account
and reset the password. Was it only me, or was there
a security issue at digikey?

I didn't get an email, but couldn't log on until I
changed my old password. It was 7 characters, now
they insisted on 8 or more. I used 9 characters.


--
Thanks,
- Win
 
On Sunday, July 28, 2019 at 8:18:17 AM UTC-4, Uwe Bonnes wrote:
Hello,

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

Looks like Digi-Key has started hiring millennial "programmers" weaned on Arduino.
 
Uwe Bonnes <bon@hertz.ikp.physik.tu-darmstadt.de> wrote:

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at
digikey?

I got it a few days ago (I think).

That likely means it was sent to all their customers.
 
On 28 Jul 2019 12:18:13 GMT, Uwe Bonnes
<bon@hertz.ikp.physik.tu-darmstadt.de> wrote:

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

I received the same email today from Digikey. I dutifully changed my
password in the manner specified. I don't think there was a security
problem or we would have read something about it by now in the news.
My guess(tm) is that Digikey wants to know which accounts are still
active even though some may not have bothered to order anything for a
while. For example, I haven't ordered anything from Digikey in four
years. In a few months, Digikey can then purge their user list to
only those who bothered to change their password.


Drivel: Tracking cookies after logging into Digikey and Mouser.

               Social Networks    Ad Tracking       Web Analytics

Digikey        (none)             Tealium           Optimizely
                                  Google Adsense    ClickTale
                                  Doubleclick       Google Analytics

Mouser         Facebook           Doubleclick       Google Analytics
                                  Google Adsense    Google GTM
                                  Mediamind DG
                                  BlueKai
                                  Eloqua
                                  Appnexus
                                  Casale Media
                                  Aggregate Knowledge



--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
On Sunday, July 28, 2019 at 8:31:40 PM UTC-4, Jeff Liebermann wrote:
On 28 Jul 2019 12:18:13 GMT, Uwe Bonnes
<bon@hertz.ikp.physik.tu-darmstadt.de> wrote:

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

I received the same email today from Digikey. I dutifully changed my
password in the manner specified. I don't think there was a security
problem or we would have read something about it by now in the news.
My guess(tm) is that Digikey wants to know which accounts are still
active even though some may not have bothered to order anything for a
while. For example, I haven't ordered anything from Digikey in four
years. In a few months, Digikey can then purge their user list to
only those who bothered to change their password.


Drivel: Tracking cookies after logging into Digikey and Mouser.

               Social Networks    Ad Tracking       Web Analytics

Digikey        (none)             Tealium           Optimizely
                                  Google Adsense    ClickTale
                                  Doubleclick       Google Analytics

Mouser         Facebook           Doubleclick       Google Analytics
                                  Google Adsense    Google GTM
                                  Mediamind DG
                                  BlueKai
                                  Eloqua
                                  Appnexus
                                  Casale Media
                                  Aggregate Knowledge

Other drivel; I'm running Windows 7, and maybe once or twice a year DK's website
will start to 'misbehave' on me. (Starts screwing up my shopping cart and
things.) I have to delete all my cookies and such and it works again...
(I'm mostly a Luddite when it comes to 'puters.)

GH
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
Jeff Liebermann wrote:
On 28 Jul 2019 12:18:13 GMT, Uwe Bonnes
<bon@hertz.ikp.physik.tu-darmstadt.de> wrote:

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

I received the same email today from Digikey. I dutifully changed my
password in the manner specified. I don't think there was a security
problem or we would have read something about it by now in the news.
My guess(tm) is that Digikey wants to know which accounts are still
active even though some may not have bothered to order anything for a
while. For example, I haven't ordered anything from Digikey in four
years. In a few months, Digikey can then purge their user list to
only those who bothered to change their password.


Drivel: Tracking cookies after logging into Digikey and Mouser.

               Social Networks    Ad Tracking       Web Analytics

Digikey        (none)             Tealium           Optimizely
                                  Google Adsense    ClickTale
                                  Doubleclick       Google Analytics

Mouser         Facebook           Doubleclick       Google Analytics
                                  Google Adsense    Google GTM
                                  Mediamind DG
                                  BlueKai
                                  Eloqua
                                  Appnexus
                                  Casale Media
                                  Aggregate Knowledge

Please tell me how you created that list.
Thanks.
 
Uwe Bonnes wrote:
Hello,

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

Bye

Likely to be a fake and have a nasty payload behind it...
 
Robert Baer wrote...
Uwe Bonnes wrote:

today I got a mail from digikey to protect my account and
reset the password. Was it only me, or was there a security
issue at Digikey?

Likely to be a fake and have a nasty payload behind it...

No, it was real, but only if your password was less than
8 characters long. I didn't get an email, but went to
their website and immediately got a page saying I needed to
update my password (7 chars), which I did (to 9 chars).


--
Thanks,
- Win
 
On 7/29/19 4:15 PM, Winfield Hill wrote:
Robert Baer wrote...

Uwe Bonnes wrote:

today I got a mail from digikey to protect my account and
reset the password. Was it only me, or was there a security
issue at Digikey?

Likely to be a fake and have a nasty payload behind it...

No, it was real, but only if your password was less than
8 characters long. I didn't get an email, but went to
their website and immediately got a page saying I needed to
update my password (7 chars), which I did (to 9 chars).

Maybe they read that thread about how all passwords of any combination
of alphanumeric characters length 10 and under are trivially breakable
off-line by direct hash and look-up, the rainbow table is only 300 gigs
in size.

And all ASCII character set passwords of length 7 are probably off-line
breakable via brute force exhaustive search in minutes.
 
On 29/07/19 22:04, Robert Baer wrote:
Jeff Liebermann wrote:
On 28 Jul 2019 12:18:13 GMT, Uwe Bonnes
<bon@hertz.ikp.physik.tu-darmstadt.de> wrote:

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

I received the same email today from Digikey.  I dutifully changed my
password in the manner specified.  I don't think there was a security
problem or we would have read something about it by now in the news.
My guess(tm) is that Digikey wants to know which accounts are still
active even though some may not have bothered to order anything for a
while.  For example, I haven't ordered anything from Digikey in four
years.  In a few months, Digikey can then purge their user list to
only those who bothered to change their password.


Drivel:  Tracking cookies after logging into Digikey and Mouser.

               Social Networks    Ad Tracking       Web Analytics

Digikey       (none)             Tealium           Optimizely
                                  Google Adsense    ClickTale
                                  Doubleclick       Google Analytics

Mouser        Facebook           Doubleclick       Google Analytics
                                  Google Adsense    Google GTM
                                  Mediamind DG
                                  BlueKai
                                  Eloqua
                                  Appnexus
                                  Casale Media
                                  Aggregate Knowledge



  Please tell me how you created that list.
  Thanks.

One technique is to run the "noscript" plugin.

When you load a page http:x/a, it shows which sites try
to load and run javascript, and gives you the option of
allowing a site permanently or for this browser session.

Frequently you see 20 or more(!) "strange" sites(i.e.
nothing to do with x) being invoked. Usually you want
to enable site x, but the others?

Facebook and twitter are almost always there - and that's
how they track your activity, whether or not you have a
farcebook account. Ditto google, albeit via tools that
many websites find useful to help with their operation.

Yes, it slows down browsing a little, but it is revealing
and entertaining in a tinfoil-hat sort of way.
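A static version of what Tom describes NoScript showing interactively, as an added example that is nobody on the thread's code: it parses a page's HTML and lists every host outside the page's own site that a script, iframe, image or stylesheet would be fetched from. The page URL, the distributor hostname and the sample HTML are constructed; the tracker hostnames merely stand in for the vendors in Jeff's table.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches (and, for script/iframe, executes).
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


def site_of(host: str) -> str:
    """Crude same-site key: the last two DNS labels (no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every remote resource a page references."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.hits = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # urljoin resolves relative and protocol-relative (//host/...) URLs
                self.hits.append((tag, urljoin(self.page_url, value.strip())))


def third_party_hosts(page_url: str, html: str) -> dict:
    """Return {host: {tags}} for every host that is not part of the page's own site."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own_site = site_of(urlsplit(page_url).hostname or "")
    found = {}
    for tag, url in collector.hits:
        host = urlsplit(url).hostname
        if not host or site_of(host) == own_site:
            continue  # first-party resource, or an inline/data: URL with no host
        found.setdefault(host, set()).add(tag)
    return found


# Constructed sample page for a fictitious distributor site; illustrative only.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example-distributor.com/app.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="https://www.googletagmanager.com/gtm.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=000" width="1" height="1">
<iframe src="https://stats.g.doubleclick.net/pixel"></iframe>
<img src="/img/logo.png">
</body></html>
"""

if __name__ == "__main__":
    report = third_party_hosts("https://www.example-distributor.com/cart", SAMPLE_HTML)
    for host, tags in sorted(report.items()):
        print(f"{host:32} {', '.join(sorted(tags))}")
```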
 
On Mon, 29 Jul 2019 13:04:10 -0800, Robert Baer
<robertbaer@localnet.com> wrote:

Jeff Liebermann wrote:
On 28 Jul 2019 12:18:13 GMT, Uwe Bonnes
<bon@hertz.ikp.physik.tu-darmstadt.de> wrote:

today I got a mail from digikey to protect my account and reset
the password. Was it only me, or was there a security issue at digikey?

I received the same email today from Digikey. I dutifully changed my
password in the manner specified. I don't think there was a security
problem or we would have read something about it by now in the news.
My guess(tm) is that Digikey wants to know which accounts are still
active even though some may not have bothered to order anything for a
while. For example, I haven't ordered anything from Digikey in four
years. In a few months, Digikey can then purge their user list to
only those who bothered to change their password.


Drivel: Tracking cookies after logging into Digikey and Mouser.

               Social Networks    Ad Tracking       Web Analytics

Digikey        (none)             Tealium           Optimizely
                                  Google Adsense    ClickTale
                                  Doubleclick       Google Analytics

Mouser         Facebook           Doubleclick       Google Analytics
                                  Google Adsense    Google GTM
                                  Mediamind DG
                                  BlueKai
                                  Eloqua
                                  Appnexus
                                  Casale Media
                                  Aggregate Knowledge


Please tell me how you created that list.
Thanks.

I used one of the features of Avast Free Anti-virus which includes a
cookie viewer and manager. The actual list was manually created with
cut-n-paste.

I'm using Windoze 7, Firefox 68.0.1, and Avast 19.6.2383. After
logging into the Mouser web site, the Avast extension to Firefox shows
10 "security issues" on the Mouser home page. As I browse through
other Mouser pages, this number will go up and down. Here's what it
looks like:
<http://www.learnbydestroying.com/jeffl/crud/avast-cookie-mgr.jpg>
Installing a virus scanner just to track cookies is overkill. Your
usenet news header shows that you're using Firefox 52, which is rather
ancient. I think it's possible to find a cookie manager or viewer
extension for Firefox 52, but I don't want to attempt it. There are
plenty of possibles, but many show a minimum Firefox version much
higher than Firefox 52.
<https://addons.mozilla.org/en-US/firefox/search/?q=cookie&platform=WINNT&appver=52.0>
Good luck.




--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
On Mon, 29 Jul 2019 18:47:59 -0700, Jeff Liebermann <jeffl@cruzio.com>
wrote:

Please tell me how you created that list.
Thanks.

I used one of the features of Avast Free Anti-virus which includes a
cookie viewer and manager. The actual list was manually created with
cut-n-paste.

I'm using Windoze 7, Firefox 68.0.1, and Avast 19.6.2383. After
logging into the Mouser web site, the Avast extension to Firefox shows
10 "security issues" on the Mouser home page. As I browse through
other Mouser pages, this number will go up and down. Here's what it
looks like:
http://www.learnbydestroying.com/jeffl/crud/avast-cookie-mgr.jpg
Installing a virus scanner just to track cookies is overkill. Your
usenet news header shows that you're using Firefox 52, which is rather
ancient. I think it's possible to find a cookie manager or viewer
extension for Firefox 52, but I don't want to attempt it. There are
plenty of possibles, but many show a minimum Firefox version much
higher than Firefox 52.
https://addons.mozilla.org/en-US/firefox/search/?q=cookie&platform=WINNT&appver=52.0
Good luck.

I found an easier way that might work with Firefox 52 and not require
installing an extension. Go to the Mouser web site. To the left of
the URL in the address box is a small letter "i" with a circle around
it. Click on it. A window should open which offers a list of
Trackers and Cookies.

If you wait a few seconds, a new item will appear at the bottom of
this window offering to "Clear Cookies and Site Data". This is handy
for vaporizing the cookies of sites that offer a few free views per
month, but then demand a subscription. You can also clear cookies for
a specific site at:
Tools -> Page Info -> Security -> Clear Cookies and Site Data



--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
On Monday, 29 July 2019 16:15:50 UTC-4, Winfield Hill wrote:
Robert Baer wrote...

Uwe Bonnes wrote:

today I got a mail from digikey to protect my account and
reset the password. Was it only me, or was there a security
issue at Digikey?

Likely to be a fake and have a nasty payload behind it...

No, it was real, but only if your password was less than
8 characters long. I didn't get an email, but went to
their website and immediately got a page saying I needed to
update my password (7 chars), which I did (to 9 chars).


--
Thanks,
- Win

Same here, had to change to a longer password to get onto the site.

--Spehro Pefhany
 
"speff" wrote in message
news:53da28e7-f521-448e-a1c3-532b621182d3@googlegroups.com...
On Monday, 29 July 2019 16:15:50 UTC-4, Winfield Hill wrote:
Robert Baer wrote...

Uwe Bonnes wrote:

today I got a mail from digikey to protect my account and
reset the password. Was it only me, or was there a security
issue at Digikey?

Likely to be a fake and have a nasty payload behind it...

No, it was real, but only if your password was less than
8 characters long. I didn't get an email, but went to
their website and immediately got a page saying I needed to
update my password (7 chars), which I did (to 9 chars).


--
Thanks,
- Win

Same here, had to change to a longer password to get onto the site.

So does that mean Digikey stores passwords in the clear, or did they store
the number of characters when the password was created but they only store a
hash of the password that is reasonably non-invertible? If in the clear,
definitely don't reuse that password anywhere else because it is only one
hack away from guaranteed exposure. Even the latter would make a brute
force attack easier.

--
Regards,
Carl Ijames
 
In article <qhqhkn0uir@news2.newsguy.com>,
Carl <carl.ijamesXYZ@ZYXverizon.net> wrote:

So does that mean Digikey stores passwords in the clear, or did they store
the number of characters when the password was created but they only store a
hash of the password that is reasonably non-invertible? If in the clear,
definitely don't reuse that password anywhere else because it is only one
hack away from guaranteed exposure. Even the latter would make a brute
force attack easier.

A more robust approach (and fairly standard these days) is for the
vendor to store the user ID, a random "salt" value (different for
every user), and a hash computed from the salt and the password.

That way, someone who pilfers the database has to try hashing N*M
different things (N possible passwords, M different user-specific
salts) rather than just N. It reduces the utility of precomputed
"rainbow tables" and makes brute-force cracking of a password table
somewhat harder.

You have to use a good hash algorithm to benefit by this, but that's a
pretty well-studied problem these days.

And, the user still needs to use a sufficiently long (and sufficiently
random) password. Using "1234" to password-protect your planetary air
shield remains a bad idea.
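Dave's scheme worked through in code, as an added example that is not Digi-Key's or any poster's implementation: each record holds the user ID, a fresh per-user salt and hash(salt, password), so M users cost an attacker N*M hash computations instead of N. PBKDF2-HMAC-SHA256 is my stand-in for the "good hash algorithm"; MIN_LENGTH = 8 is taken from the thread, and login() shows one way a site could answer Carl's question: it can demand a longer password at the next successful login, when the plaintext is briefly in hand, without ever storing the password or its length.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 8        # the minimum the thread says Digi-Key now enforces
ITERATIONS = 200_000  # PBKDF2 work factor; an assumed, not Digi-Key's, setting
SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    """hash(salt, password); PBKDF2-HMAC-SHA256 is the concrete choice here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(user_id: str, password: str) -> dict:
    """What the vendor stores: user ID, a fresh per-user salt, the salted hash.
    Neither the password nor its length is kept."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"user": user_id, "salt": salt, "hash": _derive(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def login(record: dict, password: str) -> tuple:
    """Return (authenticated, must_change_password).
    The length policy is checked only after verify() succeeds, while the
    plaintext is momentarily available, so a too-short legacy password can be
    flagged without the database ever recording its length."""
    if not verify(record, password):
        return (False, False)
    return (True, len(password) < MIN_LENGTH)


def cracking_work(n_candidates: int, records: list) -> int:
    """Hash computations needed to test n_candidates against every record:
    N * M with per-user salts, versus N if every user shared one salt."""
    return n_candidates * len({r["salt"] for r in records})


if __name__ == "__main__":
    db = [make_record("alice", "seven77"), make_record("bob", "longer-passphrase")]
    for rec, pw in zip(db, ["seven77", "longer-passphrase"]):
        print(rec["user"], login(rec, pw))
    # bitrex's 7-character printable-ASCII case, against this two-user table
    print("hashes for a 7-char printable-ASCII search:", cracking_work(95 ** 7, db))
```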
 
On 31/07/19 00:21, Dave Platt wrote:
In article <qhqhkn0uir@news2.newsguy.com>,
Carl <carl.ijamesXYZ@ZYXverizon.net> wrote:

So does that mean Digikey stores passwords in the clear, or did they store
the number of characters when the password was created but they only store a
hash of the password that is reasonably non-invertible? If in the clear,
definitely don't reuse that password anywhere else because it is only one
hack away from guaranteed exposure. Even the latter would make a brute
force attack easier.

A more robust approach (and fairly standard these days) is for the
vendor to store the user ID, a random "salt" value (different for
every user), and a hash computed from the salt and the password.

That way, someone who pilfers the database has to try hashing N*M
different things (N possible passwords, M different user-specific
salts) rather than just N. It reduces the utility of precomputed
"rainbow tables" and makes brute-force cracking of a password table
somewhat harder.

You have to use a good hash algorithm to benefit by this, but that's a
pretty well-studied problem these days.

And, the user still needs to use a sufficiently long (and sufficiently
random) password. Using "1234" to password-protect your planetary air
shield remains a bad idea.

Too complex :) You choose who to believe...

"According to nuclear safety expert Bruce G. Blair, the US Air Force's Strategic
Air Command worried that in times of need the codes for the Minuteman ICBM force
would not be available, so it quietly decided to set the codes to 00000000 in
all missile launch control centers. Blair said the missile launch checklists
included an item confirming this combination until 1977. A 2014 article in
Foreign Policy said that the US Air Force told the United States House Committee
on Armed Services that "A code consisting of eight zeroes has never been used to
enable a MM ICBM, as claimed by Dr. Bruce Blair.""
https://en.wikipedia.org/wiki/Permissive_Action_Link
 
bitrex wrote:
On 7/29/19 4:15 PM, Winfield Hill wrote:
Robert Baer wrote...

Uwe Bonnes wrote:

today I got a mail from digikey to protect my account and
reset the password. Was it only me, or was there a security
issue at Digikey?

Likely to be a fake and have a nasty payload behind it...

  No, it was real, but only if your password was less than
  8 characters long.  I didn't get an email, but went to
  their website and immediately got a page saying I needed to
  update my  password (7 chars), which I did (to 9 chars).



Maybe they read that thread about how all passwords of any combination
of alphanumeric characters length 10 and under are trivially breakable
off-line by direct hash and look-up, the rainbow table is only 300 gigs
in size.

And all ASCII character set passwords of length 7 are probably off-line
breakable via brute force exhaustive search in minutes.
--- and I understand that 15 or fewer characters is also breakable.
See https://www.cryptool.org/en/cto-highlights/passwordmeter
 
